wechat-article-to-markdown

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it turns a user-provided WeChat article URL into local Markdown and image files.

Install and run it only in a directory where saving article text, images, and possible debug HTML is acceptable. Be aware that Camoufox runs a headless browser and is a substantial third-party dependency. I found no artifact-backed evidence of hidden credential access, unrelated data collection, destructive behavior, or background persistence.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill documentation states the output paths, but it does not clearly warn users that full article content and downloaded images will be stored on local disk as a side effect. This can lead to accidental retention of copyrighted, sensitive, or unwanted content on shared machines or automated environments where users expected a transient conversion only.

VirusTotal

No VirusTotal findings

View on VirusTotal